PAGEABLE FILTER DRIVER FOR PROSPECTIVE IMPLEMENTATION OF DISK SPACE QUOTAS

This patent application is a continuation in part of provisional application 60/067,671 of the same title filed on Dec. 5, 1997.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention generally relates to devices for managing and controlling the allocation of disk space under an operating system, and more particularly to filter driver techniques for implementing disk space quotas.

2. Background Description

Disk space quotas limit the amount of disk space that can be consumed by users on a system. Disk space is a resource that is necessary for proper system operation. In the absence of an enforceable disk space quota system, users are free to allocate as much disk space as they wish. This situation can interfere with system operation, as other users, as well as the operating system itself, may be unable to allocate disk space when it is needed. A disk space quota system allows system managers to set the maximum amount of disk space that each user may consume, ensuring that there will always be adequate space available for system operation.

While quota systems are implemented in many operating systems, some operating systems do not have quota systems or do not have robust quota functionality. For example, Windows NT (through version 4.0) does not provide a disk space quota system. Since Windows NT is increasingly being used in large multi-user server environments, it is necessary for third parties to provide this functionality. Some have attempted to provide this functionality using prior art techniques, but the methods they have used do not satisfactorily accomplish the goal of limiting disk space consumption by users.

For example, the prior art for implementing quotas under an operating system such as Windows NT version 4.0, where the operating system does not itself provide this functionality, relies upon the operating system's directory change notification mechanism to detect file allocation changes. Under this approach, if a quota is exceeded, file protections are changed so that users may no longer create files in the directory to which the quota applies. This method is reactive; it detects changes after they have occurred, and has several disadvantages which limit its usefulness:

1. An appropriate status code cannot be returned. Changing file protections results in an "Access Denied" status.

2. Absolute enforcement of quotas is not possible. The prior art method detects that a quota has already been exceeded. It does not fail an operation which would exceed a quota.

3. Files that are open cannot be affected. Once a user has opened a file he may extend it to the limit of available disk space, without being detected or prevented by the prior art method.

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to implement disk space quotas in a manner which detects quota violations before they are written to disk.

A further object of the invention is to fail a disk I/O operation which would exceed a quota.

It is also an object of the invention to apply quotas to files which have been opened.

Another object of the invention is to use facilities available in the kernel of the operating system, including synchronization facilities.

A further object of the invention is to be implemented in pageable code.

The present invention is a filter driver for implementing disk space quotas. Quota limits on disk space taken up by files in the system are established for users and directories, and an internal database is established to track quotas against actual disk space utilization. A driver in accordance with the invention uses kernel resources of the operating system to prevent execution of file system I/O operations which would violate any established quota. In doing so, the driver executes logic in kernel mode which serializes file allocation operations and also serializes access to the internal database.

The first step in this logic is to intercept file system I/O requests before they reach the file system driver. Then the driver determines prospectively, before the I/O request is completed, whether any quota would be exceeded by completion of the I/O request. If a quota would be exceeded, completion of the I/O request is blocked and an error status is issued. If a quota would not be exceeded, the I/O request is allowed to complete and the driver's internal database is updated with revised disk space utilization data.

The invention includes a file system filter driver that has the responsibility of monitoring disk space usage by users, and enforcing the quotas established by the system manager for each user. Quotas may also be established for directories where files are stored. The invention's file system filter driver intercepts every call bound for the file system driver and processes each of them with respect to their effect on disk space allocation in relation to the established quotas.

The invention keeps a persistent database of the established quotas and the amount of disk space used. This database is updated when file allocation changes, and it is used to store the quota information across system boots.

By using a file system filter driver to implement quotas, the invention is able to evaluate the effects of file system operations before the operation is actually executed. This allows the invention to enforce quotas in real time with a high degree of precision. Since the invention is in the actual I/O path, it can fail I/O requests with the appropriate "Quota Exceeded" status code and can maintain an exact record of file allocation at any point in time.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, aspects and advantages will be better understood from the following detailed description of a preferred embodiment of the invention with reference to the drawings, in which:

FIG. 1 is a schematic of prior art techniques for implementing quotas.

FIG. 2 is a flow chart for intercepting I/O requests in accordance with the invention.

FIG. 3 is a flow chart for IRQL post processing in accordance with the invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT OF THE INVENTION

Referring now to the drawings, and more particularly to FIG. 1, there is shown a prior art method of implementing quotas by monitoring changes to the file system directory. In the prior art a kernel process receives an I/O request 11 and checks the applicable file protections 12. If applicable file protections are violated the I/O request returns "Access Denied". If applicable file protections are not violated, the I/O request is completed 13 and the NT directory 16 is updated 15. The quota application software 17 detects that an I/O event affecting quotas has been executed and then evaluates 18 whether an affected file protection in NT directory 16 should be changed as a result of the I/O event. If an affected file protection should be changed the quota application software 17 then changes the file protections 19 in the NT directory 16. This in turn affects whether a subsequent I/O request will be executed.

In contrast to this prior art method, the present invention 
uses a file system filter to implement a quota system. A 
practical implementation of the invention can be described 
with reference to the Windows NT 4.0 operating system. See 
Inside the Windows NT File System by Helen Custer 
(Microsoft Press, 1994), which is incorporated herein by this 
reference, for a description of the environment within which 
the invention is implemented, in particular Chapter 2 which 
describes the layered driver model. The present invention is 
implemented to provide a quota system for Windows NT 4.0 
as a filter driver on top of the NTFS Driver provided by 
Windows NT. 

A file system filter is a kernel mode driver which inter- 
cepts file system I/O requests before they reach the file 
system driver, and may optionally specify a routine to be 
executed after the file system driver completes a request. 
File system filter drivers are old in the art and have been used 
for on-disk data encryption/decryption, file system perfor- 
mance monitoring, and other purposes. 

Turning now to FIG. 2, when a file system filter driver in accordance with the invention (hereinafter called "QaFilter") receives a file system I/O request 21, it processes it based on the type of request. The I/O request is evaluated 22 to determine whether the request, if completed, would have an effect on a quota. Such requests (discussed below) cover file creation or open, write, change of file ownership, file renaming, and change of file compression status. If an I/O request 21 is one of these types 23, QaFilter determines, prospectively, how the various quotas would be affected if the I/O request were completed 24. If that determination 24 is that a quota would be exceeded, then the I/O request is failed and the routine returns to the caller 25 with an appropriate "Quota Exceeded" status code 26. If the determination 24 is that no quota would be exceeded, a post processing routine is specified 27 which will determine the actual effect of the operation on disk allocation, and the I/O request is completed 28. If an I/O request is determined at the evaluation step 22 to be not of a type which could have an effect on a quota 29, then it is completed 28.

Further details of how QaFilter operates with respect to 
I/O requests which may affect quotas will now be explained. 

Create (Open) 

A request to open a file causes QaFilter to create internal 
data structures (not shown) describing the file and the space 
currently allocated to the file. The allocation size of the file 
to be opened is retrieved from the file system and stored in 
the internal data structures so that the effect on file size of 
subsequent operations on the file can be accurately deter- 
mined. 

Write, Set Information (Extend or Truncate) 

A write which extends beyond the current allocated space or a Set Information operation which changes the size of the file will affect the allocation size of the file on disk. QaFilter calculates the change the operation will have on file allocation. If the change would result in exceeding any applicable quota, the operation is failed immediately with "Quota Exceeded" status. If the change is permissible, a post processing routine is specified which will be executed after the file system has completed the request. The post processing routine examines the actual effect the operation had on disk space allocation for the file and updates the data structures for the file, both in memory and in the persistent database on disk.

Set Security (Change Owner)

Since many quotas are based on file ownership, changing the owner of a file can affect disk space allocation. When a request to change file ownership is received, it is examined to determine if it would put the new owner over his quota. If so, the request is failed immediately with "Quota Exceeded" status. If the change is permissible, a post processing routine is specified which will be executed after the file system has completed the request. The post processing routine determines whether the file system successfully changed the file ownership, and if so, updates the in-memory data structures and the persistent database. The allocation size of the file is subtracted from the quota for the old owner, and added to the quota for the new owner.

Set Information (Rename) 

Renaming a file can cause a change in quotas. A file may be renamed from one directory to another, which may change the quotas which apply to the directory where the file is located. Rename requests are intercepted, and they are examined to determine whether they have any effect on quotas. If the request would result in exceeding any applicable quota, it is failed immediately with a "Quota Exceeded" status. If the change is permissible, a post processing routine is specified which will execute after the file system has completed the request. The post processing routine examines the effects of the rename operation and updates the in-memory data structures and persistent database appropriately. The size of the renamed file (or multiple files in the case of a directory rename operation) is subtracted from any quotas which no longer apply, and added to any quotas which now apply, but previously did not.


File System Control (Set Compression) 

Changing the compression status of a file will affect its allocation. When a compressed file is uncompressed, it may cause a user to exceed his quota. If this would be the case, the request is failed immediately with "Quota Exceeded" status. If the uncompress operation is permissible, or a file is being compressed, a post processing routine is specified which will execute after the file system has completed the request. The post processing routine determines the effect of the operation on disk space allocation and updates the in-memory data structures and the persistent database appropriately.

Cleanup 


When a user closes his handle to a file, QaFilter receives 
a Cleanup request. This causes QaFilter to eliminate any 
in-memory data structures for the file which are no longer 
needed. 
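The per-operation rules above (extend or truncate, owner change, rename, compression change) are all instances of one transition: the allocation a file holds under a given owner and path before the request, and the allocation it would hold afterwards. The following added example, which is not code from the patent or from QaFilter, models QaFilter's two phases in portable C: a prospective check against the requested result (FIG. 2, step 24) and a post-processing commit of the actual result (steps 27 and 28). The 4096-byte cluster size, the quota keys, the owner names, the paths and the limits are assumptions, and STATUS_QUOTA_EXCEEDED stands in for the NT status code. A directory rename is the same transition applied to every file the scan finds below the directory.

```c
/* Added example, not from the patent: a portable model of QaFilter's two-phase
 * quota logic. Cluster size, quota keys, names, paths and limits are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_QUOTAS 16
#define CLUSTER 4096u                 /* assumed NTFS cluster size */
#define STATUS_OK 0
#define STATUS_QUOTA_EXCEEDED 1       /* stands in for the NT status code */

typedef enum { Q_OWNER, Q_DIRECTORY } quota_kind;
typedef struct { quota_kind kind; char key[64]; uint64_t limit, used; } quota;
typedef struct { char path[128]; char owner[64]; uint64_t alloc; } qfile;

static quota db[MAX_QUOTAS];          /* the driver's "internal database" */
static int   ndb;

void qa_reset(void) { ndb = 0; }

void qa_add_quota(quota_kind kind, const char *key, uint64_t limit) {
    if (ndb == MAX_QUOTAS) return;
    db[ndb].kind = kind; db[ndb].limit = limit; db[ndb].used = 0;
    snprintf(db[ndb].key, sizeof db[ndb].key, "%s", key);
    ndb++;
}

/* NTFS allocates whole clusters, so a requested byte size is rounded up. */
uint64_t round_to_cluster(uint64_t bytes) { return (bytes + CLUSTER - 1) / CLUSTER * CLUSTER; }

/* An owner quota applies by owner; a directory quota applies to every file
 * below its path prefix. */
static bool applies(const quota *q, const qfile *f) {
    if (q->kind == Q_OWNER) return strcmp(q->key, f->owner) == 0;
    size_t n = strlen(q->key);
    return strncmp(q->key, f->path, n) == 0 && f->path[n] == '\\';
}

/* Net bytes the transition before -> after charges to quota q. A create has
 * before == NULL, a delete has after == NULL; owner change and rename fall out
 * naturally because q may apply only before, only after, or both. */
static int64_t charge(const quota *q, const qfile *before, const qfile *after) {
    int64_t c = 0;
    if (after  && applies(q, after))  c += (int64_t)after->alloc;
    if (before && applies(q, before)) c -= (int64_t)before->alloc;
    return c;
}

/* Phase 1, dispatch (FIG. 2, step 24): evaluate the *requested* result and fail
 * the request before the file system sees it if any quota would be exceeded.
 * Releases (c <= 0) never fail, so truncate and delete always pass. */
int qa_prospective(const qfile *before, const qfile *after) {
    for (int i = 0; i < ndb; i++) {
        int64_t c = charge(&db[i], before, after);
        if (c > 0 && db[i].used + (uint64_t)c > db[i].limit) return STATUS_QUOTA_EXCEEDED;
    }
    return STATUS_OK;
}

/* Phase 2, post-processing (steps 27/28): commit the *actual* result reported by
 * the file system, which may be smaller than requested (e.g. compression). */
void qa_post_process(const qfile *before, const qfile *actual_after) {
    for (int i = 0; i < ndb; i++)
        db[i].used = (uint64_t)((int64_t)db[i].used + charge(&db[i], before, actual_after));
}

uint64_t qa_used(quota_kind kind, const char *key) {
    for (int i = 0; i < ndb; i++)
        if (db[i].kind == kind && strcmp(db[i].key, key) == 0) return db[i].used;
    return 0;
}

/* Walks the operations the patent enumerates on one constructed file; returns
 * how many outcomes differ from the expectation noted beside each step. */
int qa_demo(void) {
    int bad = 0;
    qa_reset();
    qa_add_quota(Q_OWNER, "alice", 64 * 1024);
    qa_add_quota(Q_OWNER, "bob", 16 * 1024);
    qa_add_quota(Q_DIRECTORY, "D:\\shared", 32 * 1024);
    qfile cur = { "D:\\home\\a.txt", "alice", 0 }, req;

    req = cur; req.alloc = round_to_cluster(40000);            /* write past EOF: fits */
    bad += qa_prospective(&cur, &req) != STATUS_OK;
    qa_post_process(&cur, &req); cur = req;                    /* alice now holds 40960 */
    req = cur; req.alloc = round_to_cluster(70000);            /* extend: alice would reach 73728 */
    bad += qa_prospective(&cur, &req) != STATUS_QUOTA_EXCEEDED;
    req = cur; snprintf(req.owner, sizeof req.owner, "bob");   /* owner change: bob's limit is 16K */
    bad += qa_prospective(&cur, &req) != STATUS_QUOTA_EXCEEDED;
    req = cur; snprintf(req.path, sizeof req.path, "D:\\shared\\a.txt"); /* rename into a quota dir */
    bad += qa_prospective(&cur, &req) != STATUS_QUOTA_EXCEEDED;
    req = cur; req.alloc = 0;                                  /* truncate: a release */
    bad += qa_prospective(&cur, &req) != STATUS_OK;
    qa_post_process(&cur, &req); cur = req;
    bad += qa_used(Q_OWNER, "alice") != 0;
    bad += qa_prospective(&cur, NULL) != STATUS_OK;            /* delete */
    return bad;
}

int main(void) { printf("mismatches: %d\n", qa_demo()); return 0; }
```

The split into qa_prospective and qa_post_process is the point of the patent's design: the check runs against what the caller asked for, while the database is only ever charged with what the file system actually allocated, so a compressed or partially satisfied write cannot leave the accounting out of step with the volume.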
Synchronization Issues

In order to accurately detect changes in file size, operations which might affect allocation must be serialized. In order to effect serialization, it is necessary to synchronize the operations which are related. In Windows NT, this can be accomplished through the use of a kernel event, which is one of the synchronization objects made available by the operating system. A kernel event is associated with each open file. A kernel event is in one of two states, signaled or non-signaled. Multiple processes can have a handle to a kernel event. When an operation which might affect file size is detected, the event for the file is cleared by QaFilter, i.e. reset to the non-signaled or locked state. While the event is locked, other operations on the file are blocked, waiting for the event to be signaled. The event is signaled in the post-processing routine for the operation which cleared the event, effectively serializing operations.

Additionally, QaFilter must serialize access to its internal data structures. This is done through the use of a single kernel mutex, which is another synchronization object made available by the Windows NT operating system. A mutex is useful in coordinating mutually exclusive access to a shared resource (thus the name "mutex"). Only one thread at a time can own a particular mutex. In order to access QaFilter's internal data structures, a thread must own a single kernel mutex. This mutex is in a signaled state when it is not owned by any thread, and is reset to a non-signaled or locked state by a thread which needs to access those data structures. While so locked, no other thread can access those data structures, thus serializing access.

Avoiding Recursive Operations

QaFilter must do file system I/O to acquire initial space used values and to update its database when necessary. This could cause recursive calls into QaFilter, resulting in deadlocks if a resource is held. To avoid this situation, the thread id of the thread which accesses the quota database, and of a thread created to do a file system scan, is recorded, and any I/O from those threads is ignored by QaFilter and passed directly to the file system driver.

Paging I/O

Paging I/O does not cause file allocation to change and is ignored. Ignoring paging I/O allows much of the driver's code to be pageable (incurring a page fault while processing a page fault causes a system crash), and improves performance by involving QaFilter only when necessary.

Retrieving Initial File Allocation

In some cases, e.g. when opening a file for overwrite access, QaFilter must retrieve the size of a file before the file is actually opened. Ordinarily, QaFilter gets the size of a file by doing an I/O against the file object which represents the user's handle to the file. However, before the file is opened, the file object does not represent a valid handle. In this case, QaFilter opens the file before the user's open is processed, getting its own handle to the file. This handle is used to retrieve the allocation information. Then QaFilter's handle is closed, and the user's open request is allowed to proceed.

Renaming Directories

Renaming a directory which is subject to quotas presents special problems. When a directory is renamed, causing the set of quotas which apply to the directory to change, the sum of the allocation of all the files in that directory and all of its subdirectories must be used to adjust the applicable quotas. This is a case where an operation on one file (the directory) affects many other files. When such an operation occurs, QaFilter calculates the allocation size for the entire directory by doing a "scan", the same operation which takes place when a new quota is created. This sum is subtracted from all quotas which previously applied to the directory and no longer do, and it is added to all new quotas for the directory.

Flushing on Cleanup

When the user closes his handle to a file, some data he has written may still be in cache. The size of a file may change when this data is committed to disk, particularly in the case of a compressed file, where the file allocation will decrease significantly when the data is written to disk. Since QaFilter can no longer effectively track the file after the user's handle is closed, it must force the data to be written to the disk at this point to get an accurate final file size. It does this by issuing a flush on the file object which represents the user's handle when a cleanup operation occurs. This causes the file to be updated, and QaFilter can then retrieve an accurate allocation for quota calculations.

IRQL Issues

Windows NT I/O post-processing routines may execute at DISPATCH_LEVEL (IRQL 2) or lower. This causes some complications for QaFilter, because many routines should not be called at DISPATCH_LEVEL. For example, taking a page fault or performing I/O at DISPATCH_LEVEL may cause a system crash. Since QaFilter must access pageable file system data structures and do I/O to retrieve file sizes and to update the quota database in I/O post-processing, practice of the invention requires a method to perform these operations without using DISPATCH_LEVEL.

Turning now to FIG. 3, if the file system's dispatch routine 31 returned a status other 32 than STATUS_PENDING 33, then the NT I/O completion routine does not do post-processing. Instead, it just returns STATUS_SUCCESS, and the processing is performed by QaFilter's dispatch routine 37. This guarantees that the post-processing is done at PASSIVE_LEVEL (IRQL 0).

If the file system's dispatch routine returned STATUS_PENDING 33, then QaFilter's dispatch routine has already returned, and the user's I/O may be asynchronous. This means QaFilter must do other work to guarantee executing the post-processing functions at PASSIVE_LEVEL. If the NT I/O completion routine is executing at PASSIVE_LEVEL (a determination made at block 34 in FIG. 3), then QaFilter's post-processing routine 37 is called directly 38, allowing for greatest performance. If the NT I/O completion routine is called at DISPATCH_LEVEL (a determination made at block 34 in FIG. 3), then QaFilter's post-processing routine is queued 35 to a pool of worker threads which execute at PASSIVE_LEVEL, and the I/O completion is delayed by returning 36 STATUS_MORE_PROCESSING_REQUIRED to the I/O Manager. When the worker thread has finished post-processing, it completes the I/O by calling IoCompleteRequest.

The best mode of implementing the features of the invention shown and described in connection with FIG. 3 is further detailed in the following Appendix, which sets forth the details in programming language which will be understood by those skilled in the art.
APPENDIX

    /*
     * set_completion: forward an IRP to the file system beneath QaFilter with
     * post_process as the I/O completion routine. If the file system completes
     * the request synchronously, the quota post-processing routine runs here,
     * on the caller's thread at PASSIVE_LEVEL; otherwise post_process arranges
     * for it to run at PASSIVE_LEVEL (FIG. 3).
     */
    NTSTATUS FASTCALL set_completion (
        PDEVICE_OBJECT device_object,
        PIRP irp,
        PQA_COMPLETION_ROUTINE routine,
        PQFCB qfcb)
    {
        NTSTATUS status = STATUS_SUCCESS;
        PDEVICE_OBJECT target_device = NULL;
        PIO_STACK_LOCATION irp_sp = NULL;
        PIO_STACK_LOCATION irp_next_sp = NULL;
        PIRP_CONTEXT irp_context = NULL;
        PFILE_OBJECT file_obj;

        PAGED_CODE();
        TraceEnter("set_completion");

        /* The NTFS device object this filter instance is attached to. */
        target_device = ((PFILTER_DEV_EXTENSION)
            device_object->DeviceExtension)->fs_device;

        irp_sp = IoGetCurrentIrpStackLocation(irp);
        file_obj = irp_sp->FileObject;

        /* Copy our stack location to the next one, so the file system sees
           the request unchanged apart from the target device. */
        irp_next_sp = IoGetNextIrpStackLocation(irp);
        irp_next_sp->MajorFunction = irp_sp->MajorFunction;
        irp_next_sp->MinorFunction = irp_sp->MinorFunction;
        irp_next_sp->Flags = irp_sp->Flags;
        irp_next_sp->Parameters = irp_sp->Parameters;
        irp_next_sp->FileObject = irp_sp->FileObject;
        irp_next_sp->DeviceObject = target_device;

        irp_context = create_irp_context(device_object, irp, qfcb);
        if (irp_context == NULL)
        {
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        irp_context->completion_routine = routine;

        /* Invoke post_process on success, on error and on cancel. */
        IoSetCompletionRoutine(irp, post_process, irp_context,
                               TRUE, TRUE, TRUE);

        status = IoCallDriver(target_device, irp);

        if (status != STATUS_PENDING)
        {
            /* Completed synchronously. post_process saw PendingReturned ==
               FALSE and did nothing, so run the quota post-processing here,
               where we are still at PASSIVE_LEVEL. */
            (VOID) (*routine)(irp_context);
            free_irp_context(irp_context);
        }

        return status;
    }

    /*
     * post_process: I/O completion routine; may be called at DISPATCH_LEVEL.
     * Records the file system's result and decides where the pageable quota
     * work runs (FIG. 3, blocks 34 to 38).
     */
    NTSTATUS post_process (
        PDEVICE_OBJECT devobj,
        PIRP irp,
        PIRP_CONTEXT irp_context)
    {
        NTSTATUS status = STATUS_SUCCESS;
        PIO_STACK_LOCATION irp_sp = IoGetCurrentIrpStackLocation(irp);
        PSID owner = NULL;
        PQSEC_DESC sd = NULL;

        irp_context->io_status = irp->IoStatus.Status;
        irp_context->io_info = irp->IoStatus.Information;

        /* Synchronous completion: set_completion's caller does the work. */
        if (!irp->PendingReturned)
        {
            return STATUS_SUCCESS;
        }

        /* IoCallDriver returned PENDING, so mark our stack location pending. */
        IoMarkIrpPending(irp);

        if (KeGetCurrentIrql() == PASSIVE_LEVEL)
        {
            /* Safe to touch pageable data and issue I/O right here (block 38). */
            status = (*irp_context->completion_routine)(irp_context);
            free_irp_context(irp_context);
            return status;
        }
        else
        {
            /* DISPATCH_LEVEL: defer to a worker thread and hold the IRP until
               work_post completes it (blocks 35 and 36). */
            ExInitializeWorkItem(&irp_context->work_item, work_post, irp_context);
            QaQueueWorkItem(&irp_context->work_item, CriticalWorkQueue);
            return STATUS_MORE_PROCESSING_REQUIRED;
        }
    }

    /* work_post: runs on a system worker thread at PASSIVE_LEVEL. */
    VOID work_post (
        PIRP_CONTEXT irp_context)
    {
        PAGED_CODE();

        (*irp_context->completion_routine)(irp_context);
        IoCompleteRequest(irp_context->irp, IO_NO_INCREMENT);
        free_irp_context(irp_context);
        return;
    }

    /*
     * synchronous_completion: sets the IRP up exactly as set_completion does,
     * but additionally initializes a kernel event in the IRP context. The
     * listing breaks off while that event is being initialized.
     */
    NTSTATUS FASTCALL synchronous_completion (
        PDEVICE_OBJECT device_object,
        PIRP irp,
        PQA_COMPLETION_ROUTINE routine,
        PQFCB qfcb)
    {
        NTSTATUS status = STATUS_SUCCESS;
        NTSTATUS io_call_status = STATUS_SUCCESS;
        PDEVICE_OBJECT target_device = NULL;
        PIO_STACK_LOCATION irp_sp = NULL;
        PIO_STACK_LOCATION irp_next_sp = NULL;
        PIRP_CONTEXT irp_context = NULL;
        PFILE_OBJECT file_obj;

        PAGED_CODE();
        TraceEnter("synchronous_completion");

        target_device = ((PFILTER_DEV_EXTENSION)
            device_object->DeviceExtension)->fs_device;

        irp_sp = IoGetCurrentIrpStackLocation(irp);
        file_obj = irp_sp->FileObject;

        irp_next_sp = IoGetNextIrpStackLocation(irp);
        irp_next_sp->MajorFunction = irp_sp->MajorFunction;
        irp_next_sp->MinorFunction = irp_sp->MinorFunction;
        irp_next_sp->Flags = irp_sp->Flags;
        irp_next_sp->Parameters = irp_sp->Parameters;
        irp_next_sp->FileObject = irp_sp->FileObject;
        irp_next_sp->DeviceObject = target_device;

        irp_context = create_irp_context(device_object, irp, qfcb);
        if (irp_context == NULL)
        {
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        irp_context->completion_routine = routine;

        KeInitializeEvent(
            &irp_context->event,
            NotificationEvent,